Read-Only user able to modify system files

Summary

An improper privilege management vulnerability [CWE-269] in FortiADC and FortiDDoS-F may allow a remote, authenticated attacker holding a restricted (read-only) user profile to modify system files through the device's shell access.

Affected Products

At least FortiDDoS-F version 6.3.0
FortiADC version 6.2.0 through 6.2.1
FortiADC version 6.1.0 through 6.1.5
FortiADC 6.0 all versions
FortiADC 5.4 all versions
FortiADC 5.3 all versions

Solutions

Please upgrade to FortiADC version 6.2.2 or above.
Please upgrade to FortiADC version 7.0.0 or above.
Please upgrade to FortiDDoS-F version 6.3.1 or above.
Please upgrade to FortiDDoS-F version 6.2.3 or above.
Please upgrade to FortiDDoS-F version 6.1.5 or above.
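The following is an added example for triaging an appliance inventory against the Affected Products and Solutions lists above; it is not Fortinet tooling or code from this advisory. The FortiADC ranges are transcribed verbatim. For FortiDDoS-F the advisory explicitly lists only 6.3.0 ("at least"), so the 6.1.x and 6.2.x ranges below are an assumption inferred from the fixed releases 6.1.5 and 6.2.3; where a branch has no fixed release listed (FortiADC 6.1, 6.0, 5.4, 5.3), the example recommends the earliest listed non-affected branch, 7.0.0. The inventory lines are constructed sample data.

```python
"""Check FortiADC / FortiDDoS-F version strings against the ranges in this advisory.

Added example, not Fortinet's code. Ranges are transcribed from the advisory's
Affected Products and Solutions sections; the FortiDDoS-F 6.1/6.2 ranges are an
assumption inferred from the listed fixed releases (6.1.5, 6.2.3). The advisory
says "at least" 6.3.0 for FortiDDoS-F, so a "not affected" verdict for that
product only means the version is outside the ranges listed here.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; a bare 'major.minor' is read as patch 0."""
    parts = text.strip().lstrip("v").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


# (first affected, last affected inclusive, fixed release in that branch or None).
# last-affected = None means "all versions" of that major.minor branch.
Rule = Tuple[Version, Optional[Version], Optional[str]]

AFFECTED: Dict[str, List[Rule]] = {
    "FortiADC": [
        ((6, 2, 0), (6, 2, 1), "6.2.2"),
        ((6, 1, 0), (6, 1, 5), None),      # no 6.1.x fix listed; go to 6.2.2 or 7.0.0
        ((6, 0, 0), None, None),           # 6.0 all versions
        ((5, 4, 0), None, None),           # 5.4 all versions
        ((5, 3, 0), None, None),           # 5.3 all versions
    ],
    "FortiDDoS-F": [
        ((6, 3, 0), (6, 3, 0), "6.3.1"),   # explicitly listed ("at least" 6.3.0)
        ((6, 2, 0), (6, 2, 2), "6.2.3"),   # assumption: inferred from fixed 6.2.3
        ((6, 1, 0), (6, 1, 4), "6.1.5"),   # assumption: inferred from fixed 6.1.5
    ],
}

# Earliest non-affected branch named in Solutions, used when a branch has no fix.
FALLBACK_UPGRADE = {"FortiADC": "7.0.0", "FortiDDoS-F": "6.3.1"}


def same_branch(a: Version, b: Version) -> bool:
    return a[:2] == b[:2]


def assess(product: str, version: str) -> Dict[str, object]:
    """Return whether `version` falls in a listed affected range and, if so,
    the smallest listed upgrade target that resolves it."""
    if product not in AFFECTED:
        raise ValueError(f"product not covered by this advisory: {product}")
    v = parse_version(version)
    for low, high, fix in AFFECTED[product]:
        whole_branch = high is None and same_branch(v, low)
        bounded = high is not None and v <= high
        if v >= low and (whole_branch or bounded):
            return {"product": product, "version": version, "affected": True,
                    "upgrade_to": fix or FALLBACK_UPGRADE[product]}
    return {"product": product, "version": version, "affected": False,
            "upgrade_to": None}


def affected_hosts(inventory: List[str]) -> List[Dict[str, object]]:
    """Triage 'host,product,version' lines and return the affected entries."""
    results = []
    for line in inventory:
        host, product, version = (f.strip() for f in line.split(","))
        verdict = assess(product, version)
        if verdict["affected"]:
            results.append({"host": host, **verdict})
    return results


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    "adc-edge-1, FortiADC, 6.2.1",
    "adc-edge-2, FortiADC, 6.2.2",
    "adc-lab, FortiADC, 5.4.3",
    "ddos-dc-1, FortiDDoS-F, 6.3.0",
    "ddos-dc-2, FortiDDoS-F, 6.1.5",
]

if __name__ == "__main__":
    for entry in affected_hosts(SAMPLE_INVENTORY):
        print(f"{entry['host']}: {entry['product']} {entry['version']} "
              f"affected, upgrade to {entry['upgrade_to']} or above")
```

Version-range rules are ordered most-specific first so that a version matching a bounded range (e.g. FortiADC 6.2.0 through 6.2.1) is reported with its own branch fix rather than the fallback.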

Acknowledgement

Fortinet is pleased to thank Danilo Costa from Conviso Application Security for reporting this vulnerability under responsible disclosure.

Timeline

2022-09-06: Initial publication